About jstoner

jstoner

Today we are going to introduce a string function that takes base64 data and decodes it in search and YARA-L rules. While we don’t often see base64 data sitting all by itself within a UDM field, this command is often applied to placeholder variables ...

jstoner

In our previous two blogs (Part 1 and Part 2), we discussed how to set up and configure an application in Entra ID and assign permissions to access Entra ID and Office 365 events. You might be thinking at this point, I’m here to work with Google SecO...

jstoner

We’re back with part two of our Entra ID and Office 365 integration into Google SecOps blog. In our previous blog, we focused on creating an application in Entra ID and gathering key values that we will use to set up our feeds. While we created our a...

jstoner

Recently, I received a question about how Entra ID (formerly Azure Active Directory) and Office 365 can be integrated into the Google Security Operations (SecOps) platform. This isn’t the first time this has been raised and while we do have documenta...

jstoner

Today we will go deeper into using regular expressions in rules with the introduction of the function re.capture. re.capture provides us a way to extract a portion of a value within a field. From there, we can compare that portion to another value, w...

jstoner

I did a little bit of testing on this today and at this time, I believe this is one of those instances where the search interface is a little more flexible to handle variability in key names. The rules engine has always had strict named key checking....

jstoner

I believe these are decent references to the kinds of things one would be able to access for an Exchange server but I have not done it myself. It does leverage Syslog based on the parser list and again this is based on you owning the Exchange system,...

jstoner

Based on what you described, this is how I would approach this, though there are likely other ways and additional complexity that might need to go into the risk score. In the example below, I generated two different counts, one is a count of the proc...

jstoner

I will continue with @AymanC example but refine it a bit based on your comment. When comparing the stats search to Splunk SPL, think of the stats command as two pieces, there is the aggregation functions like max and count, which we put into the outc...

jstoner

Aside from what Office 365 provides with Exchange Audit, the only other option that is native Microsoft would be the Message Trace (OFFICE_365_MESSAGETRACE) which provides sender, receiver, subject and some other metrics around attachment size and th...

My Stats

jstoner's Bio

Badges jstoner Earned

Recent Activity

Getting to Know Google SecOps: String Function: strings.base64_decode

New to Google SecOps: Integrating Entra ID and Office 365 Using Feed Management (Part 3)

New to Google SecOps: Integrating Entra ID and Office 365 Using Feed Management (Part 2)

New to Google SecOps: Integrating Entra ID and Office 365 Using Feed Management (Part 1)

Getting to Know Google SecOps: Regular Expression Function: re.capture

Re: Key_value_UDM_fields

Re: Exchange logs to Chronicle SIEM

Re: Risk Score Based on Distinct Criteria

Re: stats aggregate SIEM search output - using 'max(time)'

Re: Exchange logs to Chronicle SIEM